Yellowfin Team (Agent Role)
X-Frame-Options Header
Resolved
I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.
I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.
The same problem 
This can be resolved at the Tomcat level by implementing HTTP Header Security (Tomcat 8 +). Simply add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> tag:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> </filter> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>$optionHere</param-value> </init-param> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>Where $optionHere will signify one of: DENY, SAMEORIGIN, ALLOW-FROM. As documented in the Tomcat Configuration docs.
- Ryan
Comments have been locked on this page!